Skype Risk Analysis

I spent some time reviewing the risks of Skype, a popular VoIP application. I figured since i put the time into reading it, I'd condense my thoughts into an article on the subject.
Disclaimer: I don't claim to have any inside knowledge of the workings of Skype. The only information I have is based on documentation that is publicly available on their website, as well as a few other analyses I have seen on the web.

Overview

Skype is a popular Voice over IP (VoIP) system, created by Niklas Zennström and Janus Friis, founders of KaZaA. Similar to KaZaA, Skype is based on Peer-to-Peer (P2P) technology. While other VoIP services use a centralized server to manage communications sessions, Skype software clients directly interact with each other to ensure that the network directory is up to date and that calls are quickly completed. This P2P network allows clients in different locations to locate each other and send text messages, hold voice calls, and exchange data files.

Unlike KaZaA, which earns its revenue from advertisements, the Skype client contains no adware and spyware, at least at the time of this writing. Also, calls between Skype clients are free of charge. Instead, the Skype system earns revenue by charging for the use of the gateway that interconnects the Skype network with the regular telephone system.

Another important detail to note is that KaZaA 3.0 contains its own integrated Skype client, so users of Skype may also be communicating with users of KaZaA, rather than just Skype users.

Although some of the files that are traded over KaZaA are exchanged with the permission of the copyright holders, it appears that the primary use of KaZaA appears to be the illegal exchange of copyrighted songs and movies.

Description of Skype services

The Skype client can perform the following functions:

• Voice calling to another Skype user
• Voice conference calling
• Voice calling to traditional telephone lines (SkypeOut)
• Voice calling from traditional telephone lines (SkypeIn)
• Chat, providing instant messaging for groups of up to 48 participants
• Cross-platform file transfer
• Directory and presence management

Skype client software is compatible with the following platforms: Windows XP, Windows 2000, Linux, Apple Macintosh OS X, and Pocket PCs running Windows Mobile 2003.

Network Requirements

At a minimum, the following conditions must be true of the network being used by the computer running Skype for the Skype client to communicate :

• Outgoing TCP connections should be allowed to remote ports 1024 and higher.
• Outgoing TCP connections should be allowed to remote ports 80 and 443.
• Outgoing UDP packets should be allowed to remote ports 1024 and higher. For UDP to be useful to Skype, the NAT must allow for replies to be returned to sent UDP datagrams. (The state of UDP “connections” must be kept for at least 30 seconds, and Skype recommends that these translations be maintained for as long as an hour, if possible.)
• The NAT translation should provide consistent translation, meaning that outgoing address translation is usually the same for consecutive outgoing UDP packets.

Skype is very effective at circumventing the restrictions of firewalls and Network Address Translation (NAT), provided most of the above requirements are met.

Skype Security

When discussing the security of a VoIP solution, there are a number of factors to take into account.

Authentication – the only authentication being done by Skype is based on a user name and password. Obviously, no one should ever share their Skype user name and password, or have it saved on their computer. Potentially, anyone with User A’s user name and password could install a copy of the Skype client, and receive calls that were intended for User A. Equally likely is the scenario where User B “borrows” User A’s laptop, and is able to use the Skype client with a saved password. Of course, even if User B receives a call intended for User A, it is likely that the caller would be able to identify User A by their voice, in many cases.

Encryption – According to Skype, all message contents between any pair of Skype users is encrypted end to end by utilizing the RSA encryption algorithm for key exchange and Advanced Encryption Standard (AES) in its AES-256 mode as its bulk encryption algorithm. The key for a Skype session is unique to that session and is not re-used. However, Skype does not publish its key exchange algorithm or its over-the-wire protocol and has not explained the underlying design of its certificates, is authentication system, or its encryption implementation. Therefore it is impossible to validate the company's claims regarding encryption.

Integrity – Software running on P2P networks could have wide-ranging implications that are not completely understood yet. While the Skype client does not currently include any spyware or adware, there are no guarantees that it might not include them in the future. Also, as Skype is a completely closed-source system, it is harder to determine if the software contains vulnerabilities that could be exploited by malicious users.

Bandwidth – If a Skype client makes a voice call to one person, the bandwidth usage is minimal, approximately 70kbps. However, if conference calling is used, or multiple users are running the Skype client, this can add up very quickly, and have an impact on internet bandwidth.

File Transfer – Similar to Instant Messaging programs, and other P2P applications the Skype client can be used as a file transfer utility. This could potentially allow confidential information to be sent to unauthorized individuals.

Malware Vector – As mentioned above, files could be transferred between Skype clients. This could allow a virus to be brought into the network if the Skype client connects to another computer that is infected. Skype poses more risk than programs like KaZaA because they have built-in anti-virus protection that scans programs as they are downloaded; Skype appears to have no such protection.

Conclusion

In some ways, the voice functionality of Skype appears to have more security than traditional telephone networks, based on the fact that the sessions are encrypted. However, we have no way of knowing how well the encryption is implemented, considering this is a closed source product. It is also feasible that the Skype system could be compromised by a skillful attacker, or by a motivated insider.

The larger concern is the risk of having unwanted software introduced by the Skype client. While the file transfer functionality is an easily recognizable vector, a less obvious risk is that the application itself could be compromised. If a buffer overflow could be utilized to make the application accept a malicious file and execute it, any connection made to the Skype client could be a potential attack.

I am attempting to present both sides of the issue in this analysis. The choice is yours whether this application is enough of a risk to restrict its use in your organization.